Bug 627712 (CVE-2010-1806)

Summary: CVE-2010-1806 webkit: memory corruption in handling of run-in styling (ZDI-CAN-806)
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team, stransky, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-05 08:18:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 806808    

Description Vincent Danen 2010-08-26 17:55:12 UTC 
A use after free issue exists in WebKit's handling of elements with run-in styling. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of object pointers. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

References:

https://bugs.webkit.org/show_bug.cgi?id=41375
http://trac.webkit.org/changeset/63772
Comment 1 Vincent Danen 2010-09-08 17:42:31 UTC 
This is now public:

http://support.apple.com/kb/HT4333